Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[initializer] Fix issue with publicly signed SCM's on a self-signed Gitpod instance #10280

Merged
merged 1 commit into from
May 30, 2022
Merged

[initializer] Fix issue with publicly signed SCM's on a self-signed Gitpod instance #10280

merged 1 commit into from
May 30, 2022

Conversation

Pothulapati
Copy link
Contributor

@Pothulapati Pothulapati commented May 26, 2022
edited
Loading

Description

As per the issue, Using only GIT_SSL_CAINFO seems to prevent the
git intializer from reading any of the default certs from the system's trust root
causing problems with publicly signed SCM's.
Though, I couldn't find any documentaiton specifying this but the behaviour
seems to be that as per various issues in discord, etc and my own testing.

Setting only GIT_SSL_CAPATH to /etc/ssl/certs seems to cause problems
with self-signed SCM's even if the certificate is under /etc/ssl/certs. It throws
the same unknown self signed certificate which means it is not at all reading
the custom cert and probably only reading the certs.pem bundle.

Setting them both i.e GIT_SSL_CAINFO to the custom cert, and GIT_SSL_CAPATH
to the default cert trust store seems to be the only way to get both publicly signed
and self signed SCM's to work.

Signed-off-by: Tarun Pothulapati [email protected]

Related Issue(s)

Fixes #10173

How to test

Spin up a self-signed gitpod instance, and authenticate it with
both a self-signed SCM and a public SCM.

An Instance up and running at tarun.gitpod-self-hosted.com

Release Notes

[initializer] Fix issue with publicly signed SCM's on a self-signed Gitpod instance

Documentation

@Pothulapati
Copy link
Contributor Author

Pothulapati commented May 26, 2022
edited by werft-gitpod-dev-com bot
Loading

/werft run publish-to-kots

👍 started the job as gitpod-build-tar-certs.1
(with .werft/ from main)

@Pothulapati
Copy link
Contributor Author

Pothulapati commented May 29, 2022
edited by werft-gitpod-dev-com bot
Loading

/werft run publish-to-kots

👍 started the job as gitpod-build-tar-certs.3
(with .werft/ from main)

@Pothulapati
Copy link
Contributor Author

Pothulapati commented May 29, 2022
edited by werft-gitpod-dev-com bot
Loading

/werft run publish-to-kots

👍 started the job as gitpod-build-tar-certs.5
(with .werft/ from main)

@Pothulapati Pothulapati changed the title [initializer] Replace GIT_SSL_CAINFO with GIT_SSL_CAPATH [initializer] Fix issue with publicly signed SCM's on a self-signed Gitpod instance May 30, 2022
@Pothulapati
Copy link
Contributor Author

Pothulapati commented May 30, 2022
edited by werft-gitpod-dev-com bot
Loading

/werft run publish-to-kots

👍 started the job as gitpod-build-tar-certs.6
(with .werft/ from main)

@Pothulapati
[initializer] Replace GIT_SSL_CAINFO with GIT_SSL_CAPATH
ccc4eb8 
Fixes #10173

Using `GIT_SSL_CAPATH` means that we will continue to support
publicly signed SCM's even when we have a `customCA` configured.

Signed-off-by: Tarun Pothulapati <[email protected]>
@Pothulapati
Copy link
Contributor Author

Pothulapati commented May 30, 2022
edited by werft-gitpod-dev-com bot
Loading

/werft run publish-to-kots

👍 started the job as gitpod-build-tar-certs.8
(with .werft/ from main)

@Pothulapati
Copy link
Contributor Author

Pothulapati commented May 30, 2022
edited by werft-gitpod-dev-com bot
Loading

/werft run publish-to-kots

👍 started the job as gitpod-build-tar-certs.9
(with .werft/ from main)

@Pothulapati Pothulapati marked this pull request as ready for review May 30, 2022 07:42
@Pothulapati Pothulapati requested review from a team May 30, 2022 07:42
@github-actions github-actions bot added team: delivery Issue belongs to the self-hosted team team: workspace Issue belongs to the Workspace team labels May 30, 2022
csweichel
csweichel approved these changes May 30, 2022
View reviewed changes
Copy link
Contributor

@csweichel csweichel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did not test, but code LGTM

@roboquat roboquat merged commit 77279a8 into main May 30, 2022
@roboquat roboquat deleted the tar/certs branch May 30, 2022 08:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@corneliusludmann corneliusludmann corneliusludmann approved these changes

@csweichel csweichel csweichel approved these changes

Assignees
No one assigned
Labels
release-note size/S team: delivery Issue belongs to the self-hosted team team: workspace Issue belongs to the Workspace team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[selfhosted] Setting a CA file ignores all public Root CAs
4 participants
@Pothulapati @csweichel @corneliusludmann @roboquat